CyberCrime & Doing Time

Tuesday, October 23, 2018

Clement Onuama and Orefo Okeke were arrested on November 1, 2017 in the Western District of Texas after receiving a complaint and warrant from the District of Wisconsin, that the pair were involved in Romance Scams and Business Email Compromise Scams.

According to the Criminal Complaint and Indictments from the case, from 2010 until at least December 2016, in the Western District of Wisconsin and elsewhere Clement Onuama and Orefo Okeke knowingly conspired with each other and persons known and unknown to the grand jury, to commit and cause to be committed offenses against the United States, namely: wire fraud, in violation of Title 18, United States Code, Section 1343.

They used Romance fraud scams, developing relations via email, chat apps, and telephonic conversations. Eventually the person that posed as the victim's online partner requested each victim for financial assistance. They told the victims that they needed funds in order to release a much larger sum of money that was frozen by a foreign country.

They also used Business email compromise scams, primarily by sending email messages that altered wire instructions causing funds to be deposited into accounts controlled by the criminals. Often these emails were "spoofed" to appear to come from an employee or officer of their company. During several such scams, the real officer was traveling.

The deposited funds went into bank accounts of "nominees and shell entities" and were quickly converted to cash and cashier's checks, with a portion of the funds wired overseas. The criminals also failed to pay taxes on their proceeds.

$3,259,892 in transfers were attempted and the actual fraud losses were $2,678,328. The proceeds laundered by Onuama totalled $428,346. The proceeds laundered by Okeke totalled $538,100.

Details of the Wisconsin BEC Fraud Scam

On or about February 19, 2014 at 10:02 am, an email puporting to be from Sarah Smith from the email ssmith@title-pros.com was sent in reply to real estate agent Terrell Outlay of Madison, Wisconsin asking him to update wire instructions that were sent a few days before. The email had an attachment from Portage County Title, on Portage County Title letterhead, updating the details and indicating funds should be sent to a Wells Fargo Bank account in Bettendor, Iowa in the name of TJ Hausch.

$123,747.54 was wired later that day.

On the same day, a wire transfer from Tammy Hausch's Wells Fargo bank account ending in 9492 sent $80,000 to a Wells Fargo bank account ending in 6411 held by Clement C. Onuama of Grand Prairie, Texas. Clement withdrew $10,000 in cash that day, $20,000 in cash the following day, and purchased a cashier's check for $28,885 from the account. On March 11, 2014, a check for $10,000 was sent from Okeke to Onuama, who cashed it.

An Affidavit from a Treasury Agent shares more details. Terrell Outlay was a new real estate agent who had recently relocated from Chicago. Outlay is believed to have had malware planted on his computer in relation to a home sale that he negotiated in January 2014.

After receiving the email from ssmith@title-pros.com, instructing the agent to have his client, Dynasty Holdings, wire $123,747.54 to the TJ Hasuch Wells Fargo account. He was contacted by the REAL Sarah Smith on February 25, 2014 to inform him the funds were never received into the BMO Harris Account which had been agreed to at closing. Outlay reported the situation to his boss, who contacted the Madison Police Department.

Although the email of February 19, 2014 seemed to be from ssmith@title-pros.com, the headers revealed it was sent from 162.144.88.87 and the actual email was ssmith.title-pros@outlook.com.

A second email, confirming to Mr. Outlay that the new account should be used: "Yes!! TJ Hausch Wells Fargo" -- used the email server located at web1.sh3lls.net with IP address 64.32.14.162 and the same outlook account, "ssmith.title-pros@outlook.com"

Four additional pieces of email correspondence used the same "sh3lls.net" IP and return address. Legitimate emails from Sarah Smith were sent from a Charter Communications IP address, confirmed by subpoena to belong to Portage County Title in Stevens Point, Wisconsin.

The sh3lls.net IP belongs to Sharktech in Chicago, Illinois, and that particular IP address was leased from August 13, 2013 to March 24, 2014 by a Singapore-based company called Surat IT Pte. Ltd. It was used to host hundreds of websites. The other IP address, 162.144.88.87, was confirmed to be a Unified Layer IP address operated by Bluehost. The customer of record at that time was Hind Jouini of Dubai, UAE.

The additional funds from the Tammy Hausch account were sent to a Bank of America account ending in 9593 held by P.M. Voss of Costa Mesa, California.

Tammy Hausch was interviewed by the US Secret Service in Madison, Wisconsin. She was unaware of the source of the $123,000. She had actually performed four similar transactions in the past, all at the bequest of her online boyfriend, Brian Ward, with whom she had communicated exclusively online. Brian needed her help because he and his friends had funds that were locked up in Spain and he needed additional funds to pay to have those funds released.

Hausch had previously received a $12,112 check from the IRS addressed to Brian and Patricia Downing. "Brian Ward" said that Patricia Downing was the maiden name of his deceased wife.

Brian Downing was interviewed and reported that when he attempted to file his 2013 taxes, he learned they had already been filed and that an unauthorized tax refund of $12,112 had already been paid to a Wells Fargo account ending in 9492. He confirmed his wife Patricia was not deceased and introduced her to the agent.

More BEC Fraud Linked to the Case

On August 23, 2016, Anessa Hazelle, the financial controller of Ocean Grove Development of Basseterre, Saint Kitts, West Indies told the Treasury investigator that on November 30, 2015, an email claiming to be from her supervisor, Nuri Katz, urged her to wire $84,100 to D&D Serv, Inc of Grand Prairie, Texas, to pay an invoice for the purchase of "VxWorks Proll" for $84,100. Hazelle did as she was ordered, and sent the funds. Katz was on a flight to Russia at that time. After she landed, they had a telephone conversation and learned that this email had been fraudulent.

Katz true email was "nkatz@apexcap.org" but the email with the wire transfer instructions was from "nkatz@adexec.com" - similar enough that Hazelle did not notice the difference. The funds were sent to a Capital One Bank account ending in 8232.

That Capital One acount was opened by Clement C. Onuama d/b/a D&D Serv, Inc, of 2621 Skyway Drive, Grand Prairie, Texas. Onuama was the sole signatory of the account.

On July 26, 2016, Daniel Yet, the owner of D&T Foods of Santa Clara, California, relayed a similar experience. His personal investment account at TD Ameritrade was managed by Bao Vu. On June 29, 2015, while Yet was traveling overseas on vacation, Vu attempted to contact him to verify a wire transfer request sending $22,000 to a Regions Bank account ending in 6870 for Sysco Serve. Since Vu could not reach Yet, and the matter had been described as urgent, Vu went ahead with the wire. A SECOND request came through asking for an additional $30,000 to be sent.

The Regions Bank account ending in 6870 was opened by Orefo S. Okeke d/b/a Sysco Serve, with the same address as the Capital One account controlled by Onuama above, 2621 Skyway Drive, Grand Prairie, Texas!

The 6870 Regions account made a payment of $15,000 on July 1, 2015 (two days after the deposit from Mr. Yet's TD Ameritrade account) to another Regions Bank account ending in 6452.

Letters from Okeke

The defense entered seven letters to be considered during the sentencing hearing. In the first, Orefo explains that when he first came to America, he made a business of buying used American cars and reselling them in Nigeria. He ended up in financial hardship, which he blames partly on medical bills for his sick father and partly on caring for his wife and two step children. He was approached by others in Nigeria who needed his assistance in converting US dollars to Nigerian Niara.

The other letters explained how Orefo was kind enough to hire a convicted felon to work for him, and a disabled veteran. One letter, from his Aunty, says he is kind and loves animals. His wife begs the mercy of the courts and explains how much her children miss him. Okeke's brother in South Africa explains to the judge that his brother is an honest God-fearing man and that his pleading guilty demonstrates his honesty, and that this trial caused the death of their father and now their mother's health is also on the line. His uncle writes how sad it is that the judge has incarcerated his nephew for a non-violent first time offense causing him to miss his sister's wedding and his father's funeral. A friend explains Okeke's very good moral character and how he always operates with integrity.

On the other hand, the FBI says that Business Email Compromise has stolen $12 Billion dollars, and that just from June 2016 to May 2018 they have identified 30,787 victims, of which 19,335 of them were in the United States. Records from October 2013 to May 2013 actually show at least 119,675 victims! Hopefully the examples shared above will help us realize more about how these people come to be victims -- often losing their entire life savings, or funds that cause them to no longer be able to buy a house or continue the operation of a business!

Monday, October 22, 2018

Project Lakhta is the name of a Russian project that was further documented by the Department of Justice last Friday in the form of sharing a Criminal Complaint against Elena Alekseevna Khusyaynova, said to be the accountant in charge of running a massive organization designed to inject distrust and division into the American elections and American society in general.

https://www.justice.gov/opa/press-release/file/1102316/download

In a fairly unusual step, the 39 page Criminal Complaint against Khusyaynova, filed just last month in Alexandria, Virginia, has already been unsealed, prior to any indictment or specific criminal charges being brought against her before a grand jury. US Attorney G. Zachary Terwilliger says "The strategic goal of this alleged conspiracy, which continues to this day, is to sow discord in the U.S. political system and to undermine faith in our democratic institutions."

These entities employed hundreds of individuals in support of Project Lakhta's operations with an annual global budget of millions of US dollars. Only some of their activity was directed at the United States.

Prigozhin and Concord

Concord Management and Consulting LLC and Concord Catering (collectively referred to as "Concord") are related Russian entities with various Russian government contracts. Concord was the primary source of funding for Project Lakhta, controlling funding, recommending personnel, and overseeing activities through reporting and interaction with the management of various Project Lakhta entities.

Yevgeniy Viktorovich Prigozhin is a Russian oligarch closely identified with Russian President Vladimir Putin. He began his career in the food and restaurant business and is sometimes referred to as "Putin's Chef." Concord has Russian government contracts to feed school children and the military.

Prigozhin was previously indicted, along with twelve others and three Russian companies, with committing federal crimes while seeking to interfere with the US elections and political process, including the 2016 presidential election.

Project Lakhta internally referred to their work as "information warfare against the United States of America" which was conducted through fictitious US personas on social media platforms and other Internet-based media.

Lakhta has a management group which organized the project into departments, including a design and graphics department, an analysts department, a search-engine optimization ("SEO") department, an IT department and a finance department.

Khusyaynova has been the chief accountant of Project Lakhta's finance department since April of 2014, which included the budgets of most or all of the previously named organizations. She submitted hundreds of financial vouchers, budgets, and payments requests for the Project Lakhta entities. The money was managed through at least 14 bank accounts belonging to more Project Lakhta affiliates, including:

Project Lakhta Spending

Monthly reports were provided by Khusyaynova to Concord about the spendings for at least the period from January 2016 through July 2018.

A document sent in January 2017 including the projected budget for February 2017 (60 million rubles, or roughly $1 million USD), and an accounting of spending for all of calendar 2016 (720 million rubles, or $12 million USD). Expenses included:

Other expenses were for Activists, Bloggers, and people who "developed accounts" on Twitter to promote online videos.

In January 2018, the "annual report" for 2017 showed 733 million Russian rubles of expenditure ($12.2M USD).

More recent expenses, between January 2018 and June 2018, included more than $60,000 in Facebook ads, and $6,000 in Instagram ads, as well as $18,000 for Bloggers and Twitter account developers.

Project Lakhta Messaging

From December 2016 through May 2018, Lakhta analysts and activist spread messages "to inflame passions on a wide variety of topics" including:

immigration

gun control and the Second Amendment

the Confederate flag

race relations

LGBT issues

the Women's March

and the NFL national anthem debate.

Events in the United States were seized upon "to anchor their themes" including the Charleston church shootings, the Las Vegas concert shootings, the Charlottesville "Unite the Right" rally, police shootings of African-American men, and the personnel and policy decisions of the Trump administration.

Many of the graphics that were shared will be immediately recognizable to most social media users.

"Rachell Edison" Facebook profile

The graphic above was shared by a confirmed member of the conspiracy on December 5, 2016. "Rachell Edison" was a Facebook profile controlled by someone on payroll from Project Lakhta. Their comment read "Whatever happens, blacks are innocent. Whatever happens, it's all guns and cops. Whatever happens, it's all racists and homophobes. Mainstream Media..."

The Rachell Edison account was created in September 2016 and controlled the Facebook page "Defend the 2nd". Between December 2016 and May 2017, "while concealing its true identity, location, and purpose" this account was used to share over 700 inflammatory posts related to gun control and the Second Amendment.

Other accounts specialized on other themes. Another account, using the name "Bertha Malone", was created in June 2015, using fake information to claim that the account holder lived in New York City and attended a university in NYC. In January 2016, the account created a Facebook page called "Stop All Invaders" (StopAI) which shared over 400 hateful anti-immigration and anti-Islam memes, implying that all immigrants were either terrorists or criminals. Posts shared by this acount reached 1.3 million individuals and at least 130,851 people directly engaged with the content (for example, by liking, sharing, or commenting on materials that originated from this account.)

Some examples of the hateful posts shared by "Bertha Malone" that were included in the DOJ criminal complaint, included these:

The latter image was accompanied by the comment:

"Instead this stupid witch hunt on Trump, media should investigate this traitor and his plane to Islamize our country. If you are true enemy of America, take a good look at Barack Hussein Obama and Muslim government officials appointed by him."

Directions to Project Lakhta Team Members

The directions shared to the propaganda spreaders gave very specific examples of how to influence American thought with guidance on what sources and techniques should be used to influence particular portions of our society. For example, to further drive wedges in the Republican party, Republicans who spoke out against Trump were attacked in social media:
(all of these are marked in the Criminal Complaint as "preliminary translations of Russian text"):

"Brand McCain as an old geezer who has lost it and who long ago belonged in a home for the elderly. Emphasize that John McCain's pathological hatred towards Donald Trump and towards all his initiatives crosses all reasonable borders and limits. State that dishonorable scoundrels, such as McCain, immediately aim to destroy all the conservative voters' hopes as soon as Trump tries to fulfill his election promises and tries to protect the American interests."

"Brand Paul Ryan a complete and absolute nobody incapable of any decisiveness. Emphasize that while serving as Speaker, this two-faced loudmouth has not accomplished anything good for America or for American citizens. State that the only way to get rid of Ryan from Congress, provided he wins in the 2018 primaries, is to vote in favor of Randy Brice, an American veteran and an iron worker and a Democrat."

Frequently the guidance was in relation to a particular news headline, where directions on how to use the headline to spread their message of division where shared. A couple examples of these:

After a news story "Trump: No Welfare To Migrants for Grants for First 5 Years" was shared, the conspiracy was directed to twist the messaging like this:

"Fully support Donald Trump and express the hope that this time around Congress will be forced to act as the president says it should. Emphasize that if Congress continues to act like the Colonial British government did before the War of Independence, this will call for another revolution. Summarize that Trump once again proved that he stands for protecting the interests of the United States of America."

In response to an article about scandals in the Robert Mueller investigation, the direction was to use this messaging:

"Special prosecutor Mueller is a puppet of the establishment. List scandals that took place when Mueller headed the FBI. Direct attention to the listed examples. State the following: It is a fact that the Special Prosector who leads the investigation against Trump represents the establishment: a politician with proven connections to the U.S. Democratic Party who says things that should either remove him from his position or disband the entire investigation commission. Summarize with a statement that Mueller is a very dependent and highly politicized figure; therefore, there will be no honest and open results from his investigation. Emphasize that the work of this commission is damaging to the country and is aimed to declare impeachement of Trump. Emphasize that it cannot be allowed, no matter what."

Many more examples are given, some targeted at particular concepts, such as this direction regarding "Sanctuary Cities":

"Characterize the position of the Californian sanctuary cities along with the position of the entire California administration as absolutely and completely treacherous and disgusting. Stress that protecting an illegal rapist who raped an American child is the peak of wickedness and hypocrisy. Summarize in a statement that "sanctuary city" politicians should surrender their American citizenship, for they behave as true enemies of the United States of America"

Some more basic guidance shared by Project Lakhta was about how to target conservatives vs. liberals, such as "if you write posts in a liberal group, you must not use Breitbart titles. On the contrary, if you write posts in a conservative group, do not use Washington Post or BuzzFeed's titles."

We see the "headline theft" implied by this in some of their memes. For example, this Breitbart headline:

Became this Project Lakhta meme (shared by Stop All Immigrants):

Similarly this meme originally shared as a quote from the Heritage Foundation, was adopted and rebranded by Lakhta-funded "Stop All Immigrants":

Twitter Messaging and Specific Political Races

Many Twitter accounts shown to be controlled by paid members of the conspiracy were making very specific posts in support of or in opposition to particular candidates for Congress or Senate. Some examples listed in the Criminal Complaint include:

Several of the Project Lakhta Twitter accounts got involved in the Alabama Senate race, but to point out that the objective of Lakhta is CREATE DISSENT AND DISTRUST, they actually tweeted on opposite sides of the campaign:

"Anyone who believes that President Trump is responsible for #shutdown2018 is either an outright liar or horribly ignorant. #SchumerShutdown for illegals. #DemocratShutdown #DemocratLosers #DemocratsDefundMilitary #AlternativeFacts" (January 20, 2018)

@KaniJJackson on Parkland, Florida and the 2018 Midterm election:

"Reminder: the same GOP that is offering thoughts and prayers today are the same ones that voted to allow loosening gun laws for the mentally ill last February. If you're outraged today, VOTE THEM OUT IN 2018. #guncontrol #Parkland"

They even tweet about themselves, as shown in this pair of tweets!

@JemiSHaaaZzz (February 16, 2018):

"Dear @realDonaldTrump: The DOJ indicted 13 Russian nationals at the Internet Research Agency for violating federal criminal law to help your campaign and hurt other campaigns. Still think this Russia thing is a hoax and a witch hunt? Because a lot of witches just got indicted."

@JohnCopper16 (February 16, 2018):

"Russians indicted today: 13 Illegal immigrants crossing Mexican border indicted today: 0 Anyway, I hope all those Internet Research Agency f*ckers will be sent to gitmo."

The Russians are also involved in "getting out the vote" - especially of those who hold strongly divisive views:

@JohnCopper16 (February 27, 2018):

"Dem2018 platform - We want women raped by the jihadists - We want children killed - We want higher gas prices - We want more illegal aliens - We want more Mexican drugs And they are wondering why @realDonaldTrump became the President"

@KaniJJackson (February 19, 2018):

"Midterms are 261 days, use this time to: - Promote your candidate on social media - Volunteer for a campaign - Donate to a campaign - Register to vote - Help others register to vote - Spread the word We have only 261 days to guarantee survival of democracy. Get to work!

More recent tweets have been on a wide variety of topics, with other accounts expressing strong views around racial tensions, and then speaking to the Midterm elections:

@wokeluisa (another confirmed Project Lakhta account):

"Just a reminder that: - Majority black Flint, Michigan still has drinking water that will give you brain damage if consumed - Republicans are still trying to keep black people from voting - A terrorist has been targeting black families for assassination in Austin, Texas"

and then, also @wokeluisa: (March 19, 2018):

"Make sure to pre-register to vote if you are 16 y.o. or older. Don't just sit back, do something about everything that's going on because November 6, 2018 is the date that 33 senate seats, 436 seats in the House of Representatives and 36 governorships will be up for re-election."

And from @johncopper16 (March 22, 2018):

"Just a friendly reminder to get involved in the 2018 Midterms. They are motivated They hate you They hate your morals They hate your 1A and 2A rights They hate the Police They hate the Military They hate YOUR President"

Some of the many additional Twitter accounts controlled by the conspiracy mentioned in the Criminal Complaint:

Sunday, September 30, 2018

What do the numbers say about Cybercrime? Not much. No one is using them.

There is a popular quote often mis-attributed to the hero of Total Quality Management, Edward Deming: "If you can't measure it, you can't manage it."Its one of the first things I think about every year when the FBI releases their annual Crime Statistics Report, as they just did for 2017. (The "mis-attributed" is because for all the times he has been quoted, Deming actual said almost the exact opposite. What he actually said, in "The New Economics," was: "It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.")

Despite being a misquote, I've used it often myself. There is no way to tell if you are "improving" your response to a crime type if you don't first have valid statistics for it. Why the quote always pops to mind, however, is because, in the case of cybercrime, we are doing a phenomenal job of ignoring it in official police statistics. This directly reflects the ability and the practice of our state and local law enforcement agencies to deal with online crime, hacking, and malware cases. Want to test it yourself? Call your local Police Department and tell them your computer has a virus. See what happens.

It isn't for lack of law! Every State in the Union has their own computer crime law, and most of them have a category that would be broadly considered "hacking." A quick reference to all 50 states computer crime laws is here: State Computer Crime Laws - and yet with a mandate to report hacking to the Department of Justice, almost nobody is doing it.

You may be familiar with the Uniform Crime Report, which attempts to create a standard for measurement of crime data across the nation. UCR failed to help us at all in Cybercrime, because it focused almost exclusively on eight major crimes that were reported through the Summary Reporting System (SRS):

To capture other crime types, the Department of Justice has been encouraging the adoption of the NIBRS - the National Incident-Based Reporting System. This system primarily focuses on 52 crime categories, and gathers statistics on several more. Most importantly for us, it includes several categories of "Fraud Crimes"

2 / 26A / False Pretenses/Swindle/Confidence Game

41 / 26B / Credit Card/ATM Fraud

46 / 26C / Impersonation

12 / 26D / Welfare Fraud

17 / 26E / Wire Fraud

63 / 26F / Identity Theft

64 / 26G / Hacking/Computer Invasion

Unfortunately, despite being endorsed by most every major law enforcement advocacy group, many states, including my own, are failing to participate. The FBI will be retiring SRS in 2021, and as of September 2018, many states are not projected to make that deadline:

https://www.fbi.gov/file-repository/ucr/nibrs-countdown-flyer.pdf

In the just-released 2017 data, out of the 18,855 law enforcement agencies in the United States, 16,207 of them submitted SRS "old-style" UCR data. Only 7,073 (42%) submitted NIBRS-style data.

Unfortunately, the situation when it comes to cybercrime is even worse. For SRS-style reporting, all cybercrimes are lumped under "Fraud". In 2016, SRS reported 10.6 Million arrests. Only 128,531 of these were for "Fraud" of which cybercrime would be only a tiny portion.

Of those eight "fraud type" crimes, the 2017 data is not yet available for detailed analysis (currently most of state data sets, released September 26, 2018, limit the data in each table to only 500 rows. Since, as an example, Hoover, Alabama, the only city in my state participating in NIBRS, has 3800 rows of data, you can see how that filter is inadequate for state-wide analysis in fully participating states!

Looking at the NIBRS 2016 data as a starting point, however, we can still see that we have difficulty at the state and local police level in understanding these crimes. In 2016, 6,191 law enforcement agencies submitted NIBRS-style data. Of those 5,074 included at least some "fraud type" crimes. Here's how they broke down by fraud offense. Note, these are not the number of CRIMES committed, these are the number of AGENCIES who submitted at least one of these crimes in 2017:

Only 189 of the nation's 18,855 law enforcement agencies submitted even a single case of "hacking/computer invasion" during 2016! When I asked the very helpful FBI NIBRS staff about this last year, they confirmed that, yes, malware infections would all be considered "64 - Hacking/Computer Invasion". To explore on your own, visit the NIBRS 2016 Map. Then under "Crimes Against Property" choose the Fraud type you would like to explore. This map shows "Hacking/Computer Intrusion." Where a number shows up instead of a pin, zoom the map to see details for each agency.

Filtering the NIBRS 2016 map for "Hacking/Computer Intrusion" reports

As an example, Zooming the number in Tennessee, I can now see a red pin for Nashville. When I hover that pin, it shows me how many crimes in each NIBRS category were reported for 2017, including 107 cases of Wire Fraud, 34 cases of Identity Theft, and only 3 cases of Hacking/Computer Invasion:

Clicking on "Nashville" as an example

I have requested access to the full data set for 2017. I'll be sure to report here when we have more to share.